Secure the Raspberry Pi

If you make the Raspberry Pi accessible via the internet then it must be properly secured.


We have already secured SSH access with keys, so access with a password is no longer desirable. Amend file /etc/ssh/sshd_config. It is a large file so let’s open the file from WinSCP with Notepad ++.
Make sure that the following lines are in the file:

  • Check: ChallengeResponseAuthentication no
  • #PasswordAuthentication yes change to: PasswordAuthentication no
  • Change UsePAM yes to: UsePAM no

After saving, the SSH service must be restarted: sudo service ssh restart
Now try to log in via user + password. That should be impossible. Do this for example via a new site in WinSCP.


As a sudoer, you can log in to the database with the root user without a password. It might be better to secure the root user of the database with a password.

  • Login to the database with command: sudo mysql -u root
  • Type in the mysql prompt: use mysql;
  • Type:
  • UPDATE user
    SET plugin = ‘’, authentication_string=PASSWORD(“< a strong password>”)
    WHERE User=’root’;
  • Type: FLUSH privileges;

Close the mysql session with: quit
You can now no longer log in to mysql without a password.
You now have to login with: mysql -uroot -p
Note: no space between -p and the password!


Install via command: sudo apt-get install ufw

Then set up the required ports
• sudo ufw allow ssh
• sudo ufw allow 80/tcp
• sudo ufw allow 443/tcp

If everything is configured then activate the firewall: sudo ufw enable
and check if everything is to your liking with: sudo ufw status

The configuration opens ports in the firewall. We must prevent undesirable behavior on these ports. We install fail2ban for that:
sudo apt-get install fail2ban

To activate the configuration copy:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then restart: sudo service fail2ban restart

Pi user

The pi-user exists on every Raspberry pi and can therefore not be used for safety reasons. Creating a sudo-user to replace the user pi is therefore a good idea.
Keep in mind that certain features of the Raspberry pi Desktop are hard-coded associated with the pi-user! After deactivating the pi-user, this will no longer work!
sudo useradd – groups sudo-m
sudo passwd
Enter a password for the new user.
If you want to be able to run sudo without a password with , you must place a file in /etc/sudoers.d. Take file 010_pi-nopasswd as an example.
Copy /home/pi/.ssh/authorizeds_keys to the corresponding location of the and adjust owner and group to the new user.
Finally: sudo passwd –lock pi
You can no longer log in with the pi-user. Also remove /home/pi/.ssh

Automate updates of the software

Install: apt-get install unattended upgrades
Add the lines below to the “Unattended-Upgrade :: Origins-Pattern” section in file /etc/apt/apt.conf.d/50unattendedupgrades.

"origin = Raspbian, codename = $ {distro_codename}, label = Raspbian";
 "origin = Raspberry Pi Foundation, codename = $ {distro_codename}, label = Raspberry Pi Foundation";

Normally there is no reboot, even if desireable. You can change the automatic reboot rule:
// Unattended-Upgrade :: Automatic-Reboot “false”;
Unattended-Upgrade :: Automatic-Reboot “true”;

Previous pageNext page